Reddit user alphaxion has posted an excellent PowerShell script for backing up Palo Alto Networks firewalls that are not in Panorama

The original post can be found here.

# Define some base variables

$fwHost = "IP address here"

$apiKey = "API key here"

$ageLimit = (Get-Date).AddDays(-90)

# Configure cipher suite to avoid protocol downgrade

add-type @"

using System.Net;

using System.Security.Cryptography.X509Certificates;

public class TrustAllCertsPolicy : ICertificatePolicy {

public bool CheckValidationResult(

ServicePoint srvPoint, X509Certificate certificate,

WebRequest request, int certificateProblem) {

return true; } } "@

$AllProtocols = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'

# Bag the current running configuration

$configURI = "https://" + $fwHost + "/api/?type=export&category=configuration&key=" + $apiKey

$configExport = Invoke-WebRequest -Uri $configURI

# Generate time stamp

$timeStamp = Get-Date -UFormat "%Y%m%d-%H%M"

# Output file

$configExport.Content | Out-File -FilePath "C:\PaloBackups\config-$timeStamp.xml"

# Delete configs older than the defined number of days

Get-ChildItem -Path "C:\PaloBackups" -Exclude *.txt | Where-Object {$_.CreationTime -lt $ageLimit} | Remove-Item -Force